OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Audit Report

Information Security Series: Security Practices
Safe Drinking Water Information System

Report No. 2006-P-00021

March 30, 2006

Report Contributors:
Rudolph M. Brevard
Charles Dade
Neven Morcos
Jefferson Gilkeson
Scott Sammons

Abbreviations

ASSERT    Automated Security Self-Evaluation and Remediation Tracking Tool
C&A       Certification and Accreditation
EPA       U.S. Environmental Protection Agency
FISMA     Federal Information Security Management Act
NCC       National Computer Center
OIG       Office of Inspector General
OMB       Office of Management and Budget
OW        Office of Water
POA&M     Plan of Action and Milestones
RTP       Research Triangle Park
SDWIS     Safe Drinking Water Information System

U.S. Environmental Protection Agency, Office of Inspector General
2006-P-00021, March 30, 2006

At a Glance

Information Security Series: Security Practices
Safe Drinking Water Information System

Why We Did This Review

As part of our annual audit of the Environmental Protection Agency’s (EPA’s) compliance with the Federal Information Security Management Act (FISMA), we reviewed the security practices for a sample of key Agency information systems, including the Office of Water’s (OW’s) Safe Drinking Water Information System (SDWIS).

Background

FISMA requires agencies to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency’s information assets. SDWIS supports EPA’s initiative to protect public health by allowing EPA to provide a repository of national public drinking water data to interested stakeholders.

What We Found

We found that the Office of Water (OW) substantially complied with many of the information security controls reviewed and had implemented practices to ensure production servers are monitored for known vulnerabilities, physical access controls are adequate, and personnel with significant security responsibility completed the Agency’s recommended specialized security training. However, we found that the Safe Drinking Water Information System (SDWIS), a major application, did not have complete certification and accreditation documents. In addition, the contingency plan did not contain all elements specified by Federal and Agency requirements. OW officials could have discovered the identified weaknesses had the office reviewed its implemented practices for completing these requirements. As a result, SDWIS had security control weaknesses that could affect OW’s operations, assets, and individuals.

What We Recommend

We recommend that the SDWIS System Owner:

• Complete the independent review of security controls, complete a full formal risk assessment of SDWIS, and update the certification and accreditation package.
• Update and test the SDWIS contingency plan and implement a process to periodically test and maintain the plan.
• Develop a Plan of Action and Milestones in the Agency’s security weakness tracking system (ASSERT database) for all noted deficiencies.

We recommend that the OW Information Security Officer:

• Conduct a review of OW’s information security oversight processes.

OW agreed with the report’s findings, indicated that it was in the process of completing the risk assessment, and expected to complete the assessment by the end of March 2006. OW also stated it would update and test the SDWIS contingency plan as a follow-up to the formal risk assessment. OW expressed concerns that some of the findings could give a misleading picture of the security of SDWIS at the time of our review and we updated the report to reflect efforts OW took to address the findings. OW’s complete response is in Appendix A.

For further information, contact our Office of Congressional and Public Liaison at (202) 566-2391.

To view the full report, click on the following link: www.epa.gov/oig/reports/2006/20060330-2006-P-00021.pdf

UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

OFFICE OF INSPECTOR GENERAL

March 30, 2006

MEMORANDUM

SUBJECT:  Information Security Series: Security Practices
          Safe Drinking Water Information System
          Report No. 2006-P-00021

FROM:     Rudolph M. Brevard /s/
          Director, Information Technology Audits

TO:       Benjamin H. Grumbles
          Assistant Administrator for Water

This is our final audit report on the information security controls audit of the Office of Water’s Safe Drinking Water Information System. This audit report contains findings that describe problems the Office of Inspector General (OIG) has identified and corrective actions the OIG recommends.
This audit report represents the opinion of the OIG, and the findings in this audit report do not necessarily represent the final Environmental Protection Agency (EPA) position. EPA managers, in accordance with established EPA audit resolution procedures, will make final determinations on matters in this audit report.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 90 calendar days of the date of this report. You should include a corrective action plan for agreed upon actions, including milestone dates. We have no objection to further release of this report to the public. For your convenience, this report will be available at http://www.epa.gov/oig.

If you or your staff has any questions regarding this report, please contact me at (202) 566-0893.

Table of Contents

At a Glance
Purpose of Audit
Background
Scope and Methodology
SDWIS’ Compliance with Federal and Agency Security Requirements
    Certification and Accreditation
    Contingency Planning
Recommendations
Agency Comments and OIG Evaluation

Appendices
A    Agency Response to Draft Report
B    Distribution

Purpose of Audit

Our objective was to determine whether the Office of Water’s (OW’s) Safe Drinking Water Information System (SDWIS) complied with Federal and Agency information system security requirements. SDWIS supports EPA’s initiative to protect public health by allowing EPA to provide a repository of national public drinking water data to interested stakeholders to enable them to monitor the quality of the Nation’s drinking water.

Background

We conducted this audit pursuant to Title III of the E-Government Act of 2002, commonly referred to as the Federal Information Security Management Act (FISMA). FISMA requires the Agency to develop policies and procedures commensurate with the risk and magnitude of harm resulting from the malicious or unintentional damage to the Agency’s information assets. EPA’s Chief Information Officer is responsible for establishing and overseeing an Agency-wide program to ensure the security of its network infrastructure consistent with these requirements. Program offices are responsible for managing the implementation of these security requirements within their respective organizations.

Program offices should create a Plan of Action and Milestones (POA&M) when they identify security control weaknesses. The POA&M, which documents the planned remediation process, is recorded in the Agency’s Automated Security Self-Evaluation and Remediation Tracking (ASSERT) tool.
ASSERT is used to centrally track remediation of weaknesses associated with information systems and serves as the Agency’s official record for POA&M activity.

FISMA requires the Inspector General, along with the EPA Administrator, to report annually to the Office of Management and Budget (OMB) on the status of EPA’s information security program. The OIG provided the results of its review to OMB in Report No. 2006-S-00001, Federal Information Security Management Act, Fiscal Year 2005 Status of EPA’s Computer Security Program.

During our annual FISMA review, we selected one major application each from five EPA program offices and reviewed the office’s security practices surrounding these applications. Our review noted instances where EPA could improve its security practices overall and the OIG reported the results to EPA’s Chief Information Officer in Report No. 2006-P-00002, EPA Could Improve Its Information Security by Strengthening Verification and Validation Processes.

This audit report is one in a series of reports being issued to the five program offices that had an application reviewed. This report addresses findings and recommendations related to security practice weaknesses identified in OW. In particular, this report summarizes our results regarding how OW implemented Federal and EPA information security policies and procedures. This report also includes our evaluation of how OW implemented, tested, and evaluated information security controls to ensure continued compliance with Federal and Agency requirements for selected security objectives. The Scope and Methodology section contains the specific security objectives we audited.

Scope and Methodology

We conducted our field work from March 2005 to July 2005 at EPA Headquarters in Washington, DC, and the National Computer Center (NCC), Research Triangle Park (RTP), North Carolina. We interviewed Agency officials at both locations and contract employees at the NCC. We reviewed relevant Federal and Agency information security standards. We reviewed application security documentation to determine whether it complied with selected standards. We reviewed system configuration settings and conducted vulnerability testing of servers for known vulnerabilities. We reviewed training records for personnel with significant security responsibilities.

During the audit, OW was operating two production versions of SDWIS:

• SDWIS-current, a mainframe-based application hosted at the NCC in RTP, North Carolina; and
• SDWIS-modern, a Web-enabled, tiered application also hosted at the NCC in RTP, North Carolina.

OW replaced SDWIS-current with the SDWIS-modern system. When OW placed the SDWIS-modern system into production, the office operated it in parallel with the SDWIS-current application.
We only evaluated the SDWIS-modern application for compliance with Federal and Agency requirements and all references to SDWIS, in this report, pertain to the SDWIS-modern application.

We assessed the following security practices for SDWIS:

• Security Certification and Accreditation (C&A) practices -- We reviewed SDWIS’ C&A package to determine whether the security plan was updated and re-approved at least every 3 years and the application was reauthorized at least every 3 years, as required by OMB Circular A-130 and EPA policy.
• Application contingency plans -- We reviewed SDWIS’ contingency planning practices to determine whether they complied with requirements outlined in EPA Directive 2195A1 (EPA Information Security Manual), National Institute of Standards and Technology Special Publication 800-34 (Contingency Planning Guide for Information Technology Systems), and EPA Procedures Document (Procedures for Implementing Federal Information Technology Security Guidance and Best Practices).
• Security controls -- We reviewed two areas of security controls: (1) system vulnerability monitoring, which included conducting vulnerability testing, and (2) physical access controls. OW operates SDWIS servers in its Washington, DC, Headquarters and at the NCC in RTP. At the Headquarters office, we evaluated the location for both system vulnerability monitoring and physical access controls. At the NCC, we only evaluated system vulnerability monitoring. We did not evaluate physical access controls at the NCC, because the NCC was undergoing an audit of these controls at the time of our review. This audit identified instances where EPA could improve its physical controls at RTP and the OIG reported the results in Report No. 2006-P-00005, EPA Could Improve Physical Access and Service Continuity/Contingency Controls for Financial and Mixed-Financial Systems Located at its Research Triangle Park Campus.
• Annual Training Requirements -- We reviewed whether employees with significant security responsibilities satisfied annual training requirements.

We conducted this audit in accordance with Government Auditing Standards, issued by the Comptroller General of the United States.

SDWIS’ Compliance with Federal and Agency Security Requirements

The SDWIS production servers were being monitored for known vulnerabilities, physical access controls were adequate, and personnel with significant security responsibility had completed the Agency’s recommended specialized security training. Our audit (1) noted that SDWIS had weaknesses related to key security practices, and (2) highlighted areas where OW should place more emphasis to comply with established information security requirements. OW officials could have discovered these weaknesses had they implemented procedures to ensure that Federal and Agency information security requirements were followed.
In particular, SDWIS had the following information security planning weaknesses:

• The C&A package did not contain a completed independent review of SDWIS’ security controls or a completed full formal risk assessment.
• The contingency plan did not contain fully developed essential elements identified by Federal and Agency guidance and was not tested.

Preparing and maintaining updated C&A documents and contingency plans help to ensure the Agency’s network infrastructure is adequately protected. These widely recognized preventive controls aid in reducing the likelihood that security incidents will occur. By not emphasizing these key security controls, OW places the integrity and availability of SDWIS at risk. In addition, testing these controls provides management with assurance that the controls are adequately implemented and working as intended. For example, an inadequately designed security control could result in a breach in SDWIS’ security and result in reduced system availability or affect the integrity of the system’s data. This could hinder the ability of Federal officials and other stakeholders to use SDWIS to monitor the quality of the Nation’s drinking water.

Certification and Accreditation

We found areas where OW could implement more comprehensive procedures to ensure C&A documents are complete. Specifically, the system owners had not conducted an independent review of SDWIS’ security controls or performed a full formal risk assessment of SDWIS prior to authorizing the application for operation as required by Federal and Agency guidance.

The information used by OW officials to make the initial authorization decision is contained in the SDWIS C&A package, which includes documents such as the most recent system security plan, authorization for operation, test of implemented security controls, and risk assessment. These documents support the OW risk management process and are necessary for senior OW officials to decide whether SDWIS’ security controls are sufficient, and if adjustments to security controls are necessary before authorizing SDWIS for operation.

During our audit, OW was conducting a Capital Planning and Investment Control review of SDWIS. OW officials indicated that the review highlighted the need to conduct a risk assessment, and to prepare and implement a risk management plan for all aspects of SDWIS. OW officials indicated an assessment would identify weaknesses that need to be addressed, and that they will address these through a process of defining each weakness and establishing a POA&M to deal with each one. OW officials indicated the risk assessment would be completed in March 2006.

Contingency Planning

We found that OW could improve its contingency planning procedures for SDWIS. Although OW had included a contingency planning section in the SDWIS security plan, OW had not fully developed the plan to include essential elements that make up an effective contingency plan as outlined in Federal and Agency guidance. In addition, OW had not conducted a test of the contingency planning procedures outlined in the security plan.
OW stated that they would update and test the SDWIS contingency plan as a follow-up to the formal risk assessment performed during March 2006.

An effective contingency plan should include Supporting Information, a Notification/Activation phase, a Recovery phase, and a Reconstitution phase. Federal and EPA standards require that plans be (1) reviewed and tested annually, and (2) updated as necessary when changes in business needs, technology, or new internal or external policies occur. Testing the plan would enable OW to become familiar with the recovery steps and help management identify where additional emphasis is needed.

Recommendations

We recommend that the Safe Drinking Water Information System (SDWIS) System Owner:

1. Complete the independent review of SDWIS’ security controls, complete a full formal risk assessment of SDWIS, and update the certification and accreditation package in accordance with Federal and Agency requirements.

2. Update and test the SDWIS contingency plan in accordance with Federal and EPA requirements; implement a process to test the plan annually; and update the contingency plan whenever significant changes occur to the system, supported business processes, key personnel, or the contingency plan itself.

3. Develop a Plan of Action and Milestones in the Agency’s security weakness tracking system (ASSERT database) for all noted deficiencies.

We recommend that the Office of Water (OW) Information Security Officer:

4. Conduct a review of the information security oversight processes within OW and develop and implement a plan to implement needed process improvements.

Agency Comments and OIG Evaluation

The Office of Water (OW) agreed with our finding that the Safe Drinking Water Information System (SDWIS) had not undergone a risk assessment and the office indicated that it has plans to complete the assessment. OW did not agree that SDWIS’ security plan did not accurately reflect the system’s appropriate operational status, citing differences between how OW and the EPA’s Chief Information Officer define a “production” system. OW contends that at the time of our review, SDWIS did not have substantiated data in the system and provided additional detail regarding SDWIS’ implementation. We modified the report to update the section related to SDWIS’ operational status and to reflect efforts OW took to address the findings.

OW did not agree with our finding that SDWIS did not have a contingency plan and provided additional information on the system’s plan. Although OW documented some contingency planning information, our research disclosed that the information provided was not fully developed as required by Federal and Agency requirements. OW’s complete response is in Appendix A.

Appendix A

Agency Response to Draft Report

MEMORANDUM

SUBJECT:  Draft Audit Report Information Security Series: Security Practices
          Safe Drinking Water Information System
          Assignment No. 2005-000661

FROM:     Benjamin H. Grumbles
          Assistant Administrator, Office of Water

TO:       Rudolph M. Brevard
          Director, Information Technology Audits

Thank you for the opportunity to respond to the draft Audit Report on Security Practices pertaining to the Safe Drinking Water Information System (SDWIS). While we found your review instructive relative to the requirements of the Federal Information Security Management Act (FISMA), we believe that your draft Audit Report gives a misleading picture of the security of SDWIS at the time of your review.

At the time of your review, the Office of Water (OW) had in place approved security plans consistent with the status of the various system components. As you know, OW has been modernizing the entire SDWIS data flow since 2001, and that modernization was still underway at the time you conducted your review. Key points that I believe conflict with your office’s evaluation include:

• Even though SDWIS/Federal (the system in use at the time of your review) and SDWIS/Operational Data System (ODS) (the system under development) were operating in parallel, the data in SDWIS/ODS were test data and were not available to the public, peers, educational institutions or other federal agencies. These data were strictly for test purposes, and were maintained in a separate test environment. Hence the SDWIS/ODS was under development as described in the OW security plan.

• OW defines “production” differently than the Office of Environmental Information (OEI). OEI defines a system as in “production” when the relevant server is connected to the network. However, OW does not consider a system to be in production until we have substantiated data that we can provide to our peers. In the case of SDWIS/ODS, at the time of your review, OW did not have substantiated data in the system, and thus we did not consider the system to be in production.

• The SDWIS security plan in place at the time of your review appropriately covered SDWIS in its status of “under development,” and included a contingency planning process.

I would also like to note that at the time of your review, OW was also responding to the Office of Management and Budget’s Capital Planning and Investment Control (CPIC) review of SDWIS. The CPIC review highlighted the need to conduct a risk assessment, and to prepare and implement a risk management plan for all aspects of SDWIS. We are in the process of completing that assessment now and expect to be finished in March 2006. In addition, as required by FISMA, OW has been conducting a self-assessment of SDWIS. The results of this self assessment will be documented in the Agency’s Automated Security Self Evaluation and Remediation Tracking (ASSERT) system. Along with the self-assessment, Plans of Actions and Milestones will be documented in ASSERT. OW expects to complete this effort by the end of March 2006. The information in ASSERT will be used by OW for continuous monitoring of the overall security of SDWIS, in keeping with the use of ASSERT as the Agency’s standard for implementing continuous security self-assessments. For example, OW undertakes tabletop exercises, and documents the results of those exercises in ASSERT, as part of our annual contingency planning.

We look forward to continuing to work with you and your staff on these important issues. We will also be sending you under separate cover a more detailed set of technical comments for your consideration. If you or your staff have any questions regarding this response, please contact Steve Heare, Director, Drinking Water Protection Division, at 202-564-7992 or Terry Howard, OW Information Security Officer, at 202-564-0385.

Appendix B

Distribution

Office of the Administrator
Assistant Administrator for Water
Acting Assistant Administrator for Environmental Information
Acting Director, Technology and Information Security Staff
Audit Followup Coordinator, Office of Water
Audit Followup Coordinator, Technology and Information Security Staff
Agency Followup Official (the CFO)
Agency Followup Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for Public Affairs
Acting Inspector General